Re: [#1298868584] Copy&paste from web browser considered dangerous

["Google Security" <security@xxxxxxxxxx>]

Hi Pavel,

Since Chrome is based on Chromium (an open source project), please file
the report directly in their bug tracker: http://crbug.com

The provides a number of benefits: 
- You get direct access to the same developers that will triage and fix
the issue; and 
- Once it's fixed, the bug will be made public (though if you use the
"Security Bug" template, the bug will be restricted to a small group of
security engineers until this occurs). 

Regards,

The Google Team



Original Message Follows:
------------------------
From: Pavel Machek <pavel@xxxxxx>
Subject: Copy&paste from web browser considered dangerous
Date: Sat, 1 Jun 2013 15:46:00 +0200

> Hi!
> 
> Apparently this is known for years, but... there are many legitimate
> websites that expect you to copy&paste into terminal, but it is very
> easy to paste something you did not want to. Demo is at
> 
> http://thejh.net/misc/website-terminal-copy-paste
> 
> I believe it is a bug in the web browser: if text was invisible on the
> page, it should not go to the buffer. Javascript should not be able
> play tricks with that.
> 
> Or alternatively, if text on screen differs from text going to
> copy-paste buffer, warning with new text should be displayed. 
> 
> (security@google cc-ed, at least chromium on debian 6 is affected).
>                                                                       Pavel
> -- 
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
>